spf-discuss

RE: [spf-discuss] Re: Revising SOFTFAIL

2008-01-05 12:27:41
Edmig wrote:

I don't understand the difference between a relay and a forward
pass, ...

That's because, to the receiver, there's no visible difference. :)

Why would you relay or forward mail for a domain that doesn't give you
whatever authorization you ask for?

I, the MTA, would naturally never relay anything without authentication
(making the relay authorized). But, to a receiver, there's no reliable way
to determine whether I, HELO domain X, sent you the message with MFROM
domain Y immediately or whether I'm the third party in some forwarding
deal. So, to you, the receiver, there's no reliable way you can "assume
forwarding".

Again:

Why would you relay or forward mail for a domain that doesn't give you
whatever authorization you ask for?

It's called spoofing. :) If a spammer uses one of my domain names in
MFROM, using his own relay, then he does so on purpose, of course. SPF
would tell the receiver that I did NOT authorize his relay to use my
domain name. This is, in effect, the same as a 'rogue' forwarding
scenario: without SPF, you, as receiver, would not be able to tell whether
the connection client is spoofing or whether he's forwarding.

To avoid troubles, the forwarder either makes sure he's listed in
trusted-forwarder.org (though not every receiver may check for that), or,
better, he uses SRS to rewrite MFROM to match a domain his own relay is
authorized to send mail for.

Why do we care? If Y is reputable, and it says X is OK, we have
what we need. If Z is forged, we tell Y, and they fire X.

It'd be a simple matter of granularity. In your example you can either
trust relay X completely, or not at all. A bit crude, don't ya think?

Also, the reputation of relay X is primarily a 'gate' affair, really: if
relay X is bad, and blocklisted somewhere, we wouldn't exchange mail with
it to begin with. A good reputation of relay X may result in a positive SA
score, or some such; but what we're really interested in, is whether relay
X is authorized to use domain Y, used in MFROM. Because, barring relays
that are outright bad, most relays will simply come up 'neutral' (read:
not even listed in a reputation service). So, if we trust domain Y, what
we just want to know then is whether relay X can use it in MFROM.

Mind you, this is not an either-or thingy. Because once you've established
that relay X can use domain Y in MFROM, you can now also reliably run the
reputation service against domain Y!

- Mark
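
Added example, not part of the original message: a minimal SPF check (only the `ip4` and `all` mechanisms) over constructed records, showing that a plain forwarder and a spoofer get the same result for MFROM domain Y, and that an SRS-style rewrite makes the check run against the forwarder's own domain. The domains, addresses, secret, fixed timestamp and the simplified SRS0 tag encoding are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF policies using documentation address ranges; not real DNS data.
SPF = {
    "y.example": "v=spf1 ip4:192.0.2.0/24 -all",      # domain Y, the original sender
    "fwd.example": "v=spf1 ip4:198.51.100.7 -all",    # relay X, the forwarder
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, mfrom):
    """Evaluate the MFROM domain's policy against the connecting client IP."""
    domain = mfrom.rsplit("@", 1)[1].lower()
    record = SPF.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
    return "neutral"                           # no mechanism matched


def srs_forward(mfrom, forwarder_domain, secret, stamp="AB"):
    """Simplified SRS0-style rewrite: SRS0=tag=stamp=orig-domain=orig-local@forwarder.

    The keyed tag lets the forwarder recognise its own rewritten addresses on
    bounces; the hex tag and fixed stamp are simplifications, not the reference
    SRS encoding.
    """
    local, domain = mfrom.rsplit("@", 1)
    msg = f"{stamp}{domain}{local}".lower().encode()
    tag = hmac.new(secret, msg, hashlib.sha1).hexdigest()[:4]
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"


if __name__ == "__main__":
    sender = "alice@y.example"
    print("direct from Y:        ", check_host("192.0.2.10", sender))
    print("forwarder, no rewrite:", check_host("198.51.100.7", sender))
    rewritten = srs_forward(sender, "fwd.example", b"constructed-secret")
    print("forwarder, with SRS:  ", rewritten, check_host("198.51.100.7", rewritten))
```
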
